Saturday, March 31, 2012

The email indicates that you have been charged a random amount of money to have a shipping label created. In this case, we were charged $47.44. Because we haven't really ordered a shipping label, we might be upset to be charged, and click the "USPS Click-N-Ship" link that APPEARS to take you to "www.usps.com/clicknship".

In reality, more than eight hundred destination webpages on more than one hundred sixty (160) websites were advertised in emails that we saw in the UAB Spam Data Mine using this template, but none of them go to the United States Postal Service.

A single destination would have many subdirectories, all created by the hacker, that contained the link. For example, this Czech website:

This was a very light campaign, compared to many that we have seen recently. We received more than half of these emails in a single 15 minute span ending at 7:15 AM our time - which would be 8:15 AM on the US East Coast. We have the theory that the new spam campaign, with a never-before-seen malware sample, is sent at the beginning of the East Coast day as a way to get maximum infections in places like New York City and Washington DC.

A Sample Run

Each day in the UAB Computer Forensics Research Laboratory, students in the MS/CFSM program produce a report shared with the government called the "Emerging Threats By Email" report. They take a prevalent "new threat" in the email from that day and document its actions, in part by infecting themselves with the malware! Here's a sample run-through I did this morning using the techniques followed in our daily report.

We begin by visiting a website advertised in the spam. In this case, I chose:

allahverdi.eu (109.235.251.244) /BSg1hNCZ/index.html (400 bytes)

These "email-advertised links" each call javascript files from a variety of other sites. In this example run, visiting the site caused us to load Javascript from the URL below.

uglyd.com (210.193.7.161) /xTnfi7mG/js.js (81 bytes)

This javascript file sets the "document location" for the current browser window to "http://178.32.160.255:8080" with a path of showthreat.php?t=73a07bcb51f4be71. This is a Black Hole Exploit Kit server, which carries out the rest of the infection.

This is the location my run gave this morning . . . yesterday morning's run used a different Black Hole Exploit Kit location:

The next two files are dropped because of the Java execution of "Pol.jar".

At the time of the UAB Emerging Threats by Email report on Friday morning March 29th, the Virus Total detections for this malware were "2 of 42". More than 20 hours later the detection is still only "19 of 42".

The "Zeus file" (the 323,624 byte one) copies itself into a newly created randomly named directory within the current user's "Application Data" directory. In the current run, it disguised itself with a "Notepad" icon, claiming to be "Notepad / Microsoft Corporation" in its properties. The file was named peix.exe (but that's random also.) The file does an "in place update", so its MD5 changed without the filename changing. My new MD5 of this morning was:

Antivirus companies don't use the same names for most of this stuff as cybercrime investigators. So, for instance, in the Microsoft lawsuit last week, they described criminals involved with three malware families: Zeus, SpyEye, and IceIX. All of these would show a "Zbot" or "Kazy" detection in the group above. PWS means "Password Stealer." "pak", "XPACK", and "kryptic" just mean that the malware is compressed in a way that implies it is probably malicious.

The bottom line is that this very successful malware distribution campaign has tricked people into installing something from the broader Zeus family (whether Zeus, SpyEye, or IceIX doesn't really matter to the consumer). Once compromised, that computer is going to begin sharing personal financial information with criminals, and allowing remote control access to the computer from anywhere in the world to allow further malicious activity to occur.

Wednesday, March 28, 2012

Operation Ghost Click

Last November, the main FBI.gov website headline was "DNS Malware: Is Your Computer Infected?". The story detailed the arrest of six Estonian criminals who had infected more than 4 million computers with malware that changed Domain Name Server settings on the impacted computers. The impact of this change was that when a user typed an address in their web browser, or even followed a link on the web page, instead of asking their Internet Service Provider's DNS server where they should go to reach the computer that had that name, they would ask a DNS server run by the criminals.

Most of the time, the traffic still went to the correct address. But at any time of the criminals' choosing, they could replace any website with content created or provided by the criminals. This allowed them to do things like place an advertisement for an illegal pharmaceutical website selling Viagra on a website that should have been showing an advertisement paid for by a legitimate advertiser.

The case, called "Operation Ghost Click" was the result of many security professionals and researchers working together with law enforcement to build a coordinated view of the threat. The University of Alabama at Birmingham was among those thanked on the FBI website.

DNS Servers and ISC

This case had one HUGE technical problem. If the criminals' computers were seized and turned off, all of the four million computers that were relying on those computers to "find things" on the Internet by resolving domain names to numeric IP addresses for them would fail. They wouldn't just "default back" to some pre-infection DNS setting, they would just stop being able to use the Internet at all until someone with some tech-savvy fixed the DNS settings on those computers.

Because of this, the court order did something unprecedented. Paul Vixie, from the Internet Systems Consortium, a tiny non-profit in California that helps to keep name services working right for the entire world, was contracted to REPLACE the criminals' DNS Servers with ISC DNS Servers that would give the right answer to any DNS queries they received. Vixie wrote about his experience with this operation in the CircleID blog on Internet Infrastructure on March 27th.

The problem, as Vixie, and other security researchers such as Brian Krebs, have related is that the court order was supposed to be a temporary measure, just until the Department of Justice managed to get everyone's DNS settings set back the way they were supposed to be. Back in November, the court decided March 9th would be a good day to turn off the ISC DNS servers.

But are you STILL infected?

Unfortunately, the vast majority of the 4 million compromised computers have not been fixed. On March 8th the court agreed to give them an extension until July 9th. (Krebs has a copy of the court order here)

But how do you know if YOU are still infected?


When I visit the website "DNS-OK.US" I get a green background on the image (shown above) which tells me that my computer is not using a DNS server address that formerly belonged to an Estonian cybercriminal. (The website is available in several other languages as well.)

The tech behind this is that the website is checking to see if you resolve your DNS by using an IP address in the following ranges:

The DNS Changer Working Group has a CHECKUP page and a DNS CLEANUP page to explain this process to technical people. Any "computer savvy" person should be able to follow their guidelines to get the job done.

Monday, March 26, 2012

On March 24, 2012, Microsoft unveiled a joint lawsuit with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the National Automated Clearing House Association (NACHA). Based on a Temporary Restraining Order filed as part of the Law Suit, Microsoft and their agent, Stroz Friedberg, accompanied by U.S. Marshals, served their TRO at the BurstNET facility in Scranton, Pennsylvania, and at Continuum Data Centers in Chicago, Illinois. Servers named in the TRO were allowed to be monitored to capture four hours of network traffic before taking the servers into possession where they will be held in Escrow by Stroz Friedberg.

In addition, more than 1700 domain names were redirected to the Microsoft IP address 199.2.137.141. While at first, I thought it would be a useful service to our readership to list the 1700+ domain names, I believe (and will hopefully have confirmation from Microsoft shortly) that it would be sufficient for network administrators to look for traffic destined to this new "rerouted" address. If you have a computer on your network sending traffic to 199.2.137.141, my current understanding is that this computer is likely attempting to send traffic to one of the domains that are subject to this TRO, and that this is an indication that computer may be infected with Zeus, ICE-IX, or SpyEye. Appropriate security measures will vary based on the role and use of that computer within your organization, but password changes of any accounts accessed from that computer, and malware removal would be minimum steps.
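As an added example (not code from the original post or from Microsoft), the check suggested above turned into a small log triage script: it parses firewall/proxy log lines and reports every internal host that sent traffic to the rerouted address 199.2.137.141, and, with the same parser, flags proxy requests matching the Blackhole landing-page URL shape seen in the March 31 run (an IP on port 8080 serving showthreat.php?t=...). The log line format and the sample lines are constructed assumptions, not a real product's format.

```python
"""Triage constructed log lines for the TRO sinkhole address and Blackhole landing URLs.

Assumed (hypothetical) log format, one record per line:
    <timestamp> <src_ip> <dst_ip>:<dst_port> <url-or-dash>
Lines that do not fit the format are skipped rather than guessed at.
"""
import re
from collections import defaultdict

# Rerouted address named in the post: hosts talking to it may be Zeus/ICE-IX/SpyEye infected.
TRO_SINKHOLE_IP = "199.2.137.141"

# Landing-page shape from the March 31 post: http://<ip>:8080/showthreat.php?t=<16 hex chars>
BLACKHOLE_RE = re.compile(
    r"^https?://\d{1,3}(?:\.\d{1,3}){3}:8080/showthreat\.php\?t=[0-9a-f]{16}$", re.I
)

# Parser for the assumed log format above.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(\S+)$")

# Constructed sample log (192.0.2.10 is a documentation address used as benign traffic).
SAMPLE_LOG = """\
2012-03-26T08:14:02 10.0.5.21 199.2.137.141:80 -
2012-03-26T08:14:05 10.0.5.21 192.0.2.10:80 http://example.com/
2012-03-26T08:15:10 10.0.7.9 178.32.160.255:8080 http://178.32.160.255:8080/showthreat.php?t=73a07bcb51f4be71
2012-03-26T08:16:00 10.0.3.4 199.2.137.141:443 -
2012-03-26T08:17:33 10.0.5.21 199.2.137.141:80 -
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, url = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "url": url}


def classify(rec):
    """Return the list of indicator names a single record matches (possibly empty)."""
    hits = []
    if rec["dst"] == TRO_SINKHOLE_IP:
        hits.append("tro_sinkhole")
    if rec["url"] != "-" and BLACKHOLE_RE.match(rec["url"]):
        hits.append("blackhole_landing")
    return hits


def triage(log_text):
    """Aggregate indicator hits per internal source host.

    Returns {src_ip: {"indicators": set, "first_seen": ts, "count": n}} so the
    analyst sees which machines need the password-change and cleanup steps.
    """
    report = defaultdict(lambda: {"indicators": set(), "first_seen": None, "count": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if not hits:
            continue
        entry = report[rec["src"]]
        entry["indicators"].update(hits)
        entry["count"] += 1
        if entry["first_seen"] is None:
            entry["first_seen"] = rec["ts"]
    return dict(report)


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src}: {sorted(info['indicators'])} x{info['count']} first seen {info['first_seen']}")
```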

The lawsuit names "John Does 1-39" which are described by their online monikers or "handles", many of which will be well known to anyone who has been researching Zeus:

The Temporary Restraining Order seizes 1,703 domain names! Each domain name is listed with the role that it played in the overall scheme to infect computers and steal data from their users. For example:

A "source" would be a domain that was advertised in an email. An "embedded_js" would be a site to which the source redirected to load hostile JavaScript. A "dropzone" would receive credentials from an infected computer. An "updater" would push additional or new commands, configurations, or malicious code to the already compromised computers.

Microsoft

In a 179 page Declaration, Mark Debenham, a Senior Manager of Investigations in the Microsoft Digital Crimes Unit, lays out the overall structure of the Zeus gang and the way in which Zeus infects users and steals money. He describes the three-fold purpose of Zeus as to infect end-user computers in order to:

(1) steal credentials for online accounts, such as account login information for Microsoft or other websites, or financial and banking credentials, from the owners or users of those computers.

(2) access the victims' online accounts with the stolen credentials, and

(3) transfer information or funds from the victims' accounts to accounts or computers controlled by the Defendants.

Debenham goes on to say that three inter-related malware families are the subject of this lawsuit -- Zeus, Ice-IX, and SpyEye, and that all were created and sold by the individuals using the handles:

Slavik, Monstr, Harderman, Gribodemon, and nvidiag

John Doe 1 is identified as the Zeus botnet code creator, who uses the handles Slavik, Monstr, IOO, and Nu11. bashorg@talking.cc

John Doe 2 is identified as the creator of Ice-IX, who uses the handles nvidiag, zebra7753, lexa_mef, gss, and iceIX. iceix@secure-jabber.biz. ICQ 610875708.

John Doe 3 is identified as the creator of SpyEye, who uses the handles Harderman and Gribodemon. shwark.power.andrew@gmail.com, johnlecun@gmail.com, gribodemon@pochta.ru, glazgo-update-notifier@gajim.org, gribo-demon@jabber.ru.

John Doe 4 is identified as an operator within the "JabberZeus Crew" who recruits money mules and uses them to cash out stolen credentials. He uses the handles Aqua, aquaSecond, it, percent, cp01, hct, xman, and Pepsi. aqua@incomeet.com, ICQ 637760688.

etc.

NACHA

In a separate 163 page declaration, Pamela Moore, the Senior Vice President and Chief Financial Officer of NACHA, documents the particular harm caused to NACHA, showing that in some cases the volume of documented spam messages imitating NACHA rose as high as 167 million emails in a single 24 hour period.

According to Moore's affidavit, just in the month of November 2011, NACHA was responsible for terminating 555 websites that were distributing malicious content linked from an email message imitating NACHA. As a small business with fewer than 100 employees, NACHA has been hit with $624,000 in costs responding to the emails that falsely claimed to be from her organization.

Moore's declaration contains her 15 page statement followed by page after page of documented evidence supporting that false and misleading emails were sent out related to these Zeus actors.

American Banking Association

William Johnson of the American Banking Association also entered a statement of support. Johnson serves as the Vice President and Senior Advisor for Risk Management Policy for the ABA. He also chairs the ABA's Information Security Working Group and their Bank Security Committee. In addition, Johnson is on the board of the FS-ISAC and on the Steering Committee for NACHA's Internet Council. The ABA is of huge importance to the banking world. 92% of the $13 Trillion in U.S. Banking assets are held by ABA members.

Statistics shared by Johnson include:

- 2010 was the first time where electronic debit card fraud exceeded traditional check card fraud.
- 96% of all banks incurred losses from debit card fraud in 2010. Community Banks experiencing such fraud grew from 61% in 2006 to 96% in 2010.
- In 2009, 36% of banking customers said "online banking" was their primary means of interacting with their bank. In 2010 it was 62%.
- In 2011 4.9% of the U.S. adult population was a victim of identity theft.
- In 2009, the average victim of identity theft spent 68 hours and $741 in costs repairing the damage caused by identity theft.

Kyrus Technologies

Jesse Kornblum (yes, THAT Jesse Kornblum!) of Kyrus Technologies also prepared an affidavit of support for the lawsuit. Jesse was a Computer Crime Investigator for the Air Force Office of Special Investigations, ultimately becoming the Chief of the Computer Crime Investigations Division of the Air Force Office of Special Investigations.

In his role at Kyrus Technologies he and his team reverse engineered many of the Zeus malware binaries, comparing known source code and various binaries, and showing conclusive evidence of shared code between SpyEye, ICE-IX, and Zeus (which they refer to as PCRE). For the malware reverse engineering geeks, be sure to read the Kornblum Declaration (55 page PDF).

Orrick, Herrington, Sutcliffe

Kornblum's declaration was for the malware geeks. For the lawyers in the readership, Jacob Heath of the law firm Orrick, Herrington & Sutcliffe LLP also makes a declaration in support of the call for the Temporary Restraining Order. Orrick is the counsel of record for Microsoft in this matter.

They have arranged the website on which these proceedings are located, as well as the publication of proceedings throughout "Russia, Ukraine, and Romania, where Defendants are generally believed to reside."

Heath's declaration (part one) carefully walks through the finer points of ICANN's policies and procedures, showing the clauses that give them the rights to suspend, cancel, or seize the domain names in question, as well as the terms of service at BURSTNET (AKA Network Operations Center, Inc.) that require clients to register domains using truthful information: "Failure to comply fully with this provision may result in immediate suspension or termination of your right to use BurstNET(R) Services". It also cites the BurstNET policies stating that BurstNET services "may be used only for lawful purposes" and specifically banning malware, botnets, spam, or phishing uses of these services.

How thoughtful of Microsoft to help BurstNET enforce these policies!

For many more details, and a video about this weekend's raid at BurstNet in Scranton, Pennsylvania, please see the Official Microsoft Blog.

Sunday, March 25, 2012

When we wrote last week about Operation Open Market the court documents had not yet been released in a major multi-agency Identity Theft case which targeted criminals who traded in the identities of others through the online site "Carder.su" and its affiliated other sites. We profiled the prior identity theft career of one of the charged, Jonathan Vergnetti, while we waited for the rest of the court documents to be made publicly available.

Now we are part way there. We have received copies of all three of the indictments related to this operation. Today we'll focus on the largest of the three cases, which still has a considerable amount of data redacted in the version that has been released by the courts. I refer to this case as "The Vendors" case because most of those charged were approved vendors of services in the Carder.su framework. The case, known as "No: 2:12-CR-004" in the PACER system, currently charges 39 defendants in the U.S. District Court of Nevada.

DISCLAIMER: The data below is a reflection of the CHARGES. Of course these dirty rotten identity thieves are presumed innocent until convicted in a court of law.

[REDACTED] indicates someone whose identity is being suppressed for the time being, but "John Doe" indicates someone who is known only by their online monikers such as those used at Carder.su. Authorities may be interested in learning more true identities of John Does if you have them.

The main indictment goes after the vendors who provided services at Carder.su, which includes Carder.info, Carder.su, Crdsu.su, Carder.biz, and Carder.pro.

LEADERSHIP

The name of the Administrator (AKA Admin AKA Support) is known but [REDACTED]. There are two moderators charged in the indictment, one [REDACTED] AKA Graf and the other unknown, called JOHN DOE 4, AKA MAXXTRO.

Vendors

Kostyukov, AKA Temp, AKA Klbs, is a vendor of Cashout Services at Carder.su, receiving a fee between 45% and 62% of the total funds laundered in exchange for providing members with cashout.

Boozer, AKA XXXSimone, AKA G4, AKA El Padrino, AKA Mr. Right, AKA mrdc87, is a vendor of Dumps at Carder.su. He sells dumps for between $15 and $150 each, depending on the quantity and the geographical location. United States dumps are least expensive, and European dumps are most expensive.

[REDACTED Defendant #5] AKA RAY is a vendor of Counterfeit Plastic. He sells blank cards for $20 to $25, with a minimum order of 50 cards. Embossed counterfeit credit cards were $65 to $75 with a minimum order of 10. He is also a vendor of Dumps – stolen credit card account numbers – ranging from $30 to $45 each.

[REDACTED Defendant #8] AKA CC—Trader AKA Kengza is a vendor of Fullz or credit cards along with the cardholder information: name, date of birth, Social Security Number, address, telephone number, mother’s maiden name, ATM PIN, Expiration Date, and the CVV number or the security code on the back of the card for $20 each with a minimum order of $200. He also sells Paypal accounts for $10 each. He also sells access to online banking accounts with Fullz identification information for between $140 and $200, depending on the balance in the victim’s account.

[REDACTED Defendant #14], AKA Track2, AKA Bulba, AKA nCux, is a vendor of dumps (ICQ#572019043/164419326/460085653). He has his own website that he advertises to sell his dumps that allows users to do searches for the types of cards they want and to pay using Liberty Reserve dollars (an online currency). Card prices are approximately $20 each.

Mukhtar, AKA Caliber, is a vendor of Counterfeit Plastic and Counterfeit Credit Cards as well as Counterfeit Holograms and Signature panels. Blank plastic was sold for $15, embossed credit cards for $20. Cards with photos or chips were $25 unembossed or $30 embossed. Cards with both chip and photo were $30 unembossed or $35 embossed. His prices were negotiable based on volume.

[REDACTED Defendant #16] AKA Patistota is a vendor of CVVs as well, with a custom website that allowed buyers to shop for cards at specific banks by their BINs (Bank Identification Numbers, the prefix of a Visa or MasterCard number), and offered a service for testing whether the CVV on a card was valid.

[REDACTED Defendant #17] AKA Source is a vendor of dumps, which he sells from $12 to $150 each depending on quantity and geographical location. He also advertised his own specialty site on Carder.su which allows members to lookup cards for sale by BIN.

[REDACTED Defendant #18] AKA C4rd3R is a vendor of CVVs and Fullz on Carder.su, and offers member-to-member ICQ chats.

[REDACTED Defendant #19] AKA Bowl is a vendor of CVVs at Carder.su, and advertises his own website on Carder.su websites.

[REDACTED Defendant #20] AKA Dorbik AKA Matad0r is a vendor of Bullet Proof Hosting services. Bulletproof hosting guarantees that websites hosted in these locations will not be shut down, even if they are blatantly hosting criminal content. Other criminals hosted carding forums and phishing sites on Dorbik’s services.

John Doe 3, AKA Gruber, is a vendor of counterfeit identification documents in the Carder.su organization. He makes cards for Arizona, California, Florida, Georgia, Hawaii, Illinois, Louisiana, Nevada, New Jersey, Ohio, Pennsylvania, Rhode Island, South Carolina, Texas, and Wisconsin, as well as British Columbia, Canada. (By pricing and state selection, it is clear that Gruber and Haggerty are working together.)

John Doe 5, AKA Elit3, is a vendor of Fullz which he sells for $5 to $7 each with a minimum order of $15. He also sells Enroll data (all the personal information in a Fullz, plus login information for an online bank account) for $15 to $20 if the Enroll also included an ATM PIN.

John Doe 6, AKA Fozzy, is a vendor of dumps in the Carder.su organization with prices from $12 to $100 depending on quantity and geographic location.

John Doe 7, AKA Vitrum, AKA Lermentov, is a vendor of dumps in the Carder.su organization, priced between $15 and $100 depending on quantity and geographic location.

[REDACTED Defendant #35], AKA Panther, AKA Euphoric, AKA Darkmth, is a vendor of dumps in the Carder.su organization with prices beginning at $20 for United States dumps.

John Doe 8, AKA TM, is a vendor of dumps and CVVs in the Carder.su, which he sells through his own website advertised on Carder.su.

John Doe 9, AKA Zo0mer, AKA Deputat, is a vendor of stolen Paypal accounts, including names and passwords, as well as proxies (for hiding member’s true IP addresses while performing transactions) and Fullz. He also provided Credit Card testing services, and information services, including lookups of Social Security numbers, Dates of Birth, and Mother’s Maiden Names. He sold dumps for between $15 and $150 depending on quantity and geographic location.

John Doe 10, AKA Centurion, is a vendor of dumps in the Carder.su organization which he sold for between $15 and $80 depending on quantity and geographic location.

John Doe 11, AKA Consigliori, is a vendor of dumps in the Carder.su organization and sells blank plastic cards for $15 or embossed credit cards for $20 each.

More on the Charges

For example, one charge lists all of those charged with trafficking in false identities, and gives one example of a purchase date from each vendor, with dates ranging from January 23, 2009 to April 7, 2011, and showing what state the driver's license was for, including many in Nevada, some in New York, and others in Texas, Georgia, and Virginia.

To show the Conspiracy charges, each charge provides evidence of at least two of the defendants communicating and agreeing to be involved in criminal activity.

For the "Possession of Document-making Implements" charge, an example is that Montecalvo was found to have laminates used in the production of counterfeit Illinois driver's licenses; and Photoshop templates for creating counterfeit Maryland and Florida driver's licenses.

Several of the members, including REDACTED #8, 12, and 16, and Lofton, Harrison, Thomas, Maxxtro, and Elit3 are shown committing fraud by making charges using cards on certain dates belonging to certain named people. Dates range from MAXXTRO in November of 2006 to REDACTED #16 on September 16, 2010.

The "Possession of more than 15" cards charges are spelled out by showing how many provably counterfeit cards each charged user was shown to have on a particular date (presumably when a search was performed or an email was sent or received containing that information). Some were as low as 17 for Fozzy on February 15, 2007, and as high as "More than 490" for REDACTED #7. Dates of evidence range from February 13, 2007 to June 14, 2011. That's right, bad guys! Even if you "got out of the game" five years ago, you can still be charged for your activities at that time.

Wednesday, March 21, 2012

Tonight's Rock Center with Brian Williams episode talked about the September 2010 "Trident BreACH" case. One of the things that the students in the UAB Computer Forensics Research Laboratory learn is that Cybercrime investigation is a community event. Hundreds of researchers around the world have been tracking cybercriminals who use malware, including Zeus.

UAB now provides a daily report to law enforcement called "Emerging Threats by Email" which regularly documents continued Zeus-related malware threats delivered by spam email. This week there have been several new "social engineering" scams that attempt to convince the email recipient to click on a link.

The UAB Spam Data Mine currently gathers and analyzes more than a million new spam messages each day. Here are some of the Zeus threats we've seen in the spam in the past 72 hours.

The spam message here uses the subject:

J.P. Morgan ACCESS Action Required-Password Reset

The email says that the "Security Administrator" has reset your password to a temporary password, and now you need to logon at "www.jpmorganaccess.com"

Only the link doesn't actually go to JP Morgan. There are more than fifty websites that are actually linked here, each one hacked to include a new subdirectory that contains a file full of redirectors. Those redirectors end up at a "Black Hole Exploit Kit" which then infects the visitor with the Zeus trojan.

The Black Hole Exploit Kit is "crimeware" - criminals sell the software as a service that allows the "renter" of the crimeware to infect visitors with the malware of their choice. Brian Krebs has a nice write up about Black Hole Exploit kits and Crimevertising.

This spam message claims to be a notice from the "Commercial Electronic Office" and tells the recipient they need to access their "Deposit Adjustment Notice" by signing on to "the CEO Portal".

This one works exactly like the JP Morgan version. Forty-five different destinations, each a hacked website, contain redirectors which also send visitors to a Black Hole Exploit kit that drops Zeus.

One of the broader social engineering scams this week says that you are about to fly from the Washington DC airport and that it's time to Check-in online. After receiving such an email, the temptation would be to just "take a peek" and figure out whether you've been charged for a flight!

You might have figured out by now that if you click the link, it's going to take you to one of 140 compromised websites which all have redirectors on them that will automatically take your web browser to a Black Hole Exploit kit that will infect your computer with Zeus.

On March 19th we saw around 9,000 of these messages using the following subjects:

2239 | Careerbuilder.com open positions suggestion.
2188 | New position found for you at Careerbuilder.com.
2106 | Careerbuilder.com has found an open position for you
1930 | Careerbuilder.com has found a vacant position for you
1842 | Careerbuilder.com open position notification.

Some of the templates were a bit screwed up. One message offered the position of "Chief Legal Officer" at "Security Finance Corporation." But another message offers the position of "Chief commercial officer Chief Communications Officer" at "%." (Apparently the variable name for the company didn't match up.)

There's also a "Chief Customer Officer" (whatever that is.)

When the email recipient clicks on the job title, perhaps while saying to themselves "How silly, why would anyone want me to be the Chief Legal Officer? I'm not even a lawyer!" they aren't taken to CareerBuilder, but to one of the 100+ websites that have each been hacked to place a set of redirectors that sends the visitor to a Black Hole Exploit kit, which will infect the visitor with Zeus.

In the very most recent of these "BlackHole to Zeus" malware campaigns, LinkedIn is being imitated. The LinkedIn invitation claims to be from "Your classmate", but guess what happens if you click one of the 820 advertised URLs, each disguised as your "friend's" name?

Yes, it loads several redirectors, and then sends them to a Black Hole Exploit kit that infects the visitor with Zeus!

- 173.255.195.167 (slickcurve.com) a computer in New Jersey
- 64.90.51.63 (dosimedio.com) a computer in Brea, California
- 213.152.26.166 (dynolite.eu) a computer in France

But all of those computers are also compromised by the criminal to host the malware. Two of the domains are more than four years old!

The copy of Zeus that gets downloaded is 283,160 bytes in size and has an MD5 of 424c6b3afcde978b05cef918f04df759.

The current VirusTotal report shows that 15 of 43 current anti-virus products will detect this file as malware, although currently only Kaspersky, Microsoft, and Norman call it by ZeuS's most common name, Zbot.

Tuesday, March 20, 2012

Today the Russian MVD and FSB have announced the arrest of eight cybercriminals who have stolen more than 60 million rubles ($2 million USD) from at least ninety victim bank accounts in the charges documented in this case.

The Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del or Министерство внутренних дел) better known as the MVD has a computer crimes unit known as "Department K". In this case they worked together with the Russian Federal Security Service's Center for Information Security. (The Federal Security Service, or FSB for Federal'naya sluzhba bezopasnosti, Федеральная служба безопасности is the equivalent to the FBI in the United States.)

Similar to charges brought in the United States against cyber criminals, the MVD Press Release only documents charges that can be proven beyond any reasonable doubt. The total activities of these criminals are likely to greatly exceed what can be formally charged. The formal charges are significant though.

According to Russian computer forensics and investigations company, Group-IB, the Russian government received assistance in the investigation from Group-IB as well as Dutch company Fox-IT. Group-IB says that the group primarily used the malware families Win32/Carberp and Win32/RDPdor.

The Carberp trojan is a financial crimes trojan that has been said to have "High Damage Potential" by anti-virus companies like Trend Micro. Trend was able to show some interesting statistics about who was infected with at least one version of CARBERP by "sink-holing" the CARBERP Command and Control server. S21Sec also did some great research on how to decrypt Carberp communications.

Carberp has continued to evolve and add functionality beyond simple banking credential theft. More recently Carberp has been used for DDOS attacks and to grant remote control access to infected computers, giving the criminals access to everything on the computer, or the ability to use that computer to mask origins of other attacks.

Department K has been tracking these particular criminals since October of 2011, and says the group was run by two brothers, born in 1983 and 1986. One of those brothers was already a known criminal having a record related to real estate fraud.

This particular gang of eight criminals would gain access to banking credentials and cause money to be electronically transferred to accounts controlled by the criminals. They actually rented office space under the guise of a legal computer company and spent their days taking remote control of compromised computers in order to set up the fraudulent banking transactions. Once the money had been transferred to accounts controlled by the gang, it was withdrawn from a variety of ATMs in the Moscow area.

The malware was distributed by hacking into popular Internet sites and leaving traps, including the websites of some prominent newspapers.

All of the criminals were arrested simultaneously in cooperation between the MVD and the FSB, from the botnet administrator all the way down to the criminals who made the ATM withdrawals.

If I'm reading the Russian translation correctly, the ringleader is in custody, his elder brother was released on 3 million rubles bond, and the other six are under house arrest.

It is not known at this time how this arrest will impact other use of the CARBERP trojan. The trojan continues to be active, with criminals continuing to take advantage of the lack of enforcement of domain name registration rules, and the gullibility of human computer users. One quick example of each.

One of the domains associated with CARBERP recently was: n9ewpon98euohfe.org

See if you can spot the inaccuracy in that WHOIS data. Did you pass? Of course! It's a Russian phone number (+86) claiming to be in China! Oh, the fact that "trgtrf" may not be a valid postal code, or name, or address, might also be a hint. It is rather strange that this Russian in China chooses to use "Primaryns.kiev.ua" as his nameserver as well.
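The kind of registration-data sanity check described above can be automated for a domain list. The following is an added example, not code from the original post or from any of the companies it names; the WHOIS record it inspects is constructed (placeholder domain, a phone prefix from one country, a declared country that does not match, a nonsense postal code reused across fields, and nameservers under a third country's ccTLD) to mirror the pattern the post points out, and the dialling-prefix and postal-code tables are deliberately small subsets.

```python
"""Sanity checks for domain registration (WHOIS) data.

Added example, not from the original post. The SAMPLE_RECORD below is a
constructed record that mirrors the inconsistencies the post describes; the
domain and all registrant values are placeholders, not real WHOIS output.
"""
import re

# International dialling prefix -> ISO country code (small, well-known subset).
DIAL_PREFIX_COUNTRY = {"+1": "US", "+7": "RU", "+86": "CN", "+380": "UA"}

# Country-code TLD -> ISO country code, used for the nameserver check.
CCTLD_COUNTRY = {"ru": "RU", "ua": "UA", "cn": "CN", "us": "US"}

# Rough postal-code shapes for the countries above (assumption: digits only).
POSTAL_CODE_PATTERN = {
    "CN": re.compile(r"^\d{6}$"),
    "RU": re.compile(r"^\d{6}$"),
    "UA": re.compile(r"^\d{5}$"),
    "US": re.compile(r"^\d{5}(-\d{4})?$"),
}


def phone_country(phone: str):
    """Country implied by a WHOIS-style phone number such as '+86.1012345678'."""
    number = phone.strip()
    if not number.startswith("+"):
        return None
    # Longest prefix first so "+380" is not misread as "+38" or "+3".
    for length in (4, 3, 2):
        if number[:length] in DIAL_PREFIX_COUNTRY:
            return DIAL_PREFIX_COUNTRY[number[:length]]
    return None


def nameserver_country(ns: str):
    """Country implied by a nameserver's ccTLD, or None for generic TLDs."""
    tld = ns.lower().rstrip(".").rsplit(".", 1)[-1]
    return CCTLD_COUNTRY.get(tld)


def whois_inconsistencies(record: dict) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    findings = []
    country = record.get("country", "").upper()

    pc = phone_country(record.get("phone", ""))
    if pc and pc != country:
        findings.append(f"phone prefix implies {pc} but registrant country is {country}")

    postal = record.get("postal_code", "")
    pattern = POSTAL_CODE_PATTERN.get(country)
    if pattern and not pattern.match(postal):
        findings.append(f"postal code {postal!r} does not match the {country} format")

    for ns in record.get("nameservers", []):
        nc = nameserver_country(ns)
        if nc and nc != country:
            findings.append(f"nameserver {ns} is under a {nc} ccTLD, registrant is in {country}")

    # The same junk string filled into several unrelated fields is a throwaway-registration tell.
    values = [record.get(k, "") for k in ("name", "street", "city", "postal_code")]
    for v in sorted({v for v in values if v and values.count(v) > 1}):
        findings.append(f"value {v!r} reused across several registrant fields")

    return findings


# Constructed record (placeholder values, not the post's real WHOIS output).
SAMPLE_RECORD = {
    "domain": "example-placeholder.org",
    "name": "trgtrf",
    "street": "trgtrf",
    "city": "trgtrf",
    "postal_code": "trgtrf",
    "country": "CN",
    "phone": "+7.4951234567",
    "nameservers": ["primaryns.kiev.ua", "ns2.kiev.ua"],
}

if __name__ == "__main__":
    for finding in whois_inconsistencies(SAMPLE_RECORD):
        print("-", finding)
```

Run against the constructed record it reports five findings: the phone/country mismatch, the malformed postal code, one finding per foreign-ccTLD nameserver, and the reused "trgtrf" string. None of these proves a domain is malicious on its own; the checks are meant to rank a feed of newly seen domains for analyst attention.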

On the Social Engineering front, Trusteer CEO Amit Klein recently blogged about a Facebook related scam being pushed to users infected with Carberp. In that scam, users were told that their Facebook account was locked, and that they needed to provide a 20 Euro "Ukash Voucher #" to unlock the account:

[Image: the Facebook "account locked" scam page shown to Carberp victims; the image linked to the Trusteer blog article.]

Ukash started in the United Kingdom (UK-cash = Ukash?) but now has partnerships with certain mobile phone companies and with Mastercard.

Saturday, March 17, 2012

On Friday, March 16, 2012, the United States Secret Service announced the results of "Operation Open Market" in a headquarters press release led by A.T. Smith, the Assistant Director for Investigations. (The Open Market press release can be found at OpenMarket.)

They announced charges against 50 individuals in three separate indictments. One indictment names 39 defendants (16 of those individuals are yet to be arrested, eleven of whom are still listed as John Does), another charges seven individuals, and a third charges four individuals.

Arrested in the operation are people in California, Florida, New York, Georgia, Michigan, Ohio, New Jersey, and West Virginia. During the search warrants executed on March 16, counterfeit credit card manufacturing equipment, electronic media, and even an ATM machine were seized. All three indictments were unsealed in Las Vegas.

All of the defendants were said to be "members, associates, or employees" of a criminal organization called "Carder.su" where "su" refers to the old Internet Top Level Domain for "Soviet Union."

Carder.su has been around since at least late 2007, originally registered to "Maria A Ageeva, 886824@mail.ru" and for some time using the gmail account "cardersu@gmail.com".

To join Carder.su, criminals had to be "vouched" into the forum by two existing members. The site is no longer active, with members being sent to the newer sites run by the same admin, crdrsu.su and carder.pro.

Carder.pro receives an average of 777 visitors per day, 372 from the United States, 218 from Russia, and 23 from Albania. (source: Alexa.com) (Carder.pro has been live for about 14 months, registered by Maria A Ageeva, cardersu@gmail.com.) To join Carder.pro, members must pay a fee of 33 "Liberty Reserve" or "WebMoney" dollars.

Jonathan Edward Vergnetti

While we wait for the names of other "Open Market" criminals to be released, I thought it might be interesting to look at one of those named so far who has plenty of familiarity with Identity Theft, Carding, and the Legal System, Jonathan Vergnetti. Often in the case of these types of law enforcement "Operations", the operation combines recent arrests that are clearly related. In the case we'll examine today, the arrest actually occurred in June of 2010, but the new information is that the previously undisclosed "internet" source of Vergnetti's credit card information is now known to be the Carder.su website.

Making False Statement to Law Enforcement

Jonathan Edward Vergnetti first shows up in the federal courts system after being arrested along with Gabriella Jiminez, Robert Albert Zabala, and Barbra Jo Van Horn back in June of 2010 in the Northern District of Oklahoma.

Jonathan and his friends apparently vacated a Best Western Hotel in Grove, Oklahoma in a hurry and forgot to take with them a shoe box full of credit cards and papers containing lists of other credit card numbers. The hotel manager contacted the Grove, Oklahoma Police Department, and detectives from the GPD did a good job of tracking down people who had worked with Vergnetti. They found six individuals who had been provided with fake credit cards that Vergnetti had created for them, and who were encouraged to use the cards to obtain cash, in exchange for which they would provide Vergnetti a 60% share of whatever they got. They determined the hotel rooms Vergnetti and his ring were currently operating out of and hit them with search warrants, recovering a laptop computer, equipment for embossing credit cards (printing the names and numbers on them) and writing the magnetic stripes, as well as "a significant number" of identification cards and driver's licenses.

Oklahoma filed state charges against six individuals, but was given false identities by the four featured in this charge. They claimed to be (and presented matching identification cards for) David Washington, Mehrdad Maknouni, Susan Lee Nuveman, and Barbara Jo Jeffries. Oklahoma submitted their fingerprints to CJIS and was able to learn their real identities as a result of the fingerprint matches. The four were questioned individually, with three refusing to talk, but Barbara Jeffries (later found to be Barbra Jo Van Horn) cooperated and claimed that Vergnetti was the head of a criminal organization consisting of "40 to 50 people" in Oklahoma, California, and Nevada, for which he provided credit cards and identities using data he received from "an internet chat room". The group mostly used these identities to obtain cash advances from casinos, including casinos in Las Vegas, but also numerous Indian casinos, including those in Oklahoma.

Vergnetti's First Grand Jury

Although making false statements to an arresting officer was enough to get Vergnetti into the federal system, by the time the Grand Jury was assembled July 8, 2010, there were better charges to bring. In addition to Vergnetti, Jiminez, Zabala, and Van Horn, Joseph Elijah Johnson and Cree Frances Clapper, both in their early twenties, were charged with this Original Indictment.

The indictment says that the gang would obtain pre-paid debit cards and then replace the magnetic stripe information with information that Vergnetti burned on with his card writing equipment. He could also emboss names and numbers on the cards, and create matching identification documents in order to withdraw funds from casinos.

Some examples -

May 18, 2010, Vergnetti used a Nevada driver's license with his photo and the name "Berry Decker" at the River Spirit Casino in Tulsa to obtain a cash advance.

At the same casino on the same day, he also used a California driver's license in the name "Stephen Graham" and presented it to law enforcement to avoid revealing his identity.

Superseding Indictment

After the original indictment, which was enough to move proceedings forward, a Superseding Indictment was filed on August 3, 2010, which brought sixty additional charges, mostly the product of additional detective work to identify some of the particular frauds that were committed by the gang of six.

So, for example, on June 4th, 6th, and 8th, Vergnetti did transactions on cards belonging to Mario Chacon and Kimberly McGee - $1263.99, $1263.99, $1075.00, $1048.99, $1048.99, and $1075.00.

Jiminez used an account belonging to Brandon Walser to do cash advances on June 5th, 6th, 7th, and 8th in the amounts of $1505, $2079.99, $2079.99, $2150, $2050, $2079.99, $2050, $2460, $1540, and $1030.

Van Horn used an account belonging to Hector Ramirez to advance 1540 on June 8th.

Clapper used an account belonging to Floyd Farmer to advance 1612.50, 1540, and 1540 on June 6th and 7th.

Zabala used an account belonging to Phillip Carney to take $500 out on June 11th.

All of those charges are the results of looking at TEN DAYS worth of transactions in Oklahoma by this gang.

The Plea Agreement

Given the information against him, Vergnetti decided to plead out. He agreed to provide $107,235.74 in restitution and the prosecution agreed to drop all but two of the charges. The Plea lists who he has to pay restitution to as part of the bargain:

I, Jonathan Edward Vergnetti, admit that from Spring 2010, through June 8, 2010, I conspired and agreed with my named co-conspirators to possess device making equipment, to produce and use counterfeit access devices with the intent to defraud, and to possess and use the means of identification of other persons.

Generally, my named co-conspirators and I manufactured, possessed, and used counterfeit access devices. We obtained pre-paid debit cards from retail stores, and then fraudulently imprinted the electronic banking information of other persons onto the pre-paid debit cards without the knowledge of the true account holders. We obtained the banking information through a third party source over the internet. We embossed the characters of account numbers and names on the face of the fraudulent access devices. We then used the counterfeit access devices, along with false identification documents, to obtain cash advances at tribal gaming establishments and for other purchases. This conspiracy and the overt acts in the conspiracy occurred in the Northern District of Oklahoma and elsewhere.

Specifically, in order to carry out the objects of the conspiracy and to commit aggravated identity theft, I admit that on June 6, 2010, I knowingly possessed and used a counterfeit access device that was a means of identification of another individual to fraudulently obtain a cash advance in the amount of $1048.99 from the Grand Lake Casino located in the Northern District of Oklahoma, and the use of the counterfeit access device affected interstate commerce.

The Sentence

With the plea agreement lined up, which basically said "pay back the money and we'll only charge you with Conspiracy and Aggravated Identity Theft," Judge James H. Payne of the Northern District of Oklahoma sentenced Jonathan Edward Vergnetti on January 31, 2011 to pay $114,931.74 in restitution (garnishing wages at 50% of income while in prison and 10% of income after prison) until paid. The sentence called for imprisonment of 84 months: 60 months for the Conspiracy and 24 months for the Aggravated Identity Theft, to run consecutively.

The Status

According to the Bureau of Prisons Inmate Locator Service, Jonathan Edward Vergnetti, Register # 10908-062, a 40 year old white male, is scheduled to be released on July 14, 2016 and is currently held at the Federal Correctional Institution in Lompoc, California (175 miles northwest of Los Angeles, adjacent to Vandenberg Air Force Base.)